powershell scripts that use this capability for troubleshooting.

t1003
t1059
windows
elastic

Techniques

T1003
T1059

Sample rules

PowerShell MiniDump Script

source: elastic
technicques:
- T1003
- T1059

Description

Detects PowerShell scripts referencing MiniDumpWriteDump or full-memory minidump types, which can capture process memory. Attackers often use this technique to dump credential-bearing processes like LSASS for credential theft.

Detection logic

event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18"